Nasty Trojan / Virus HELP! :(

Printable View

July 16th, 2002, 06:32 PM
jared_c

Nasty Trojan / Virus HELP! :(

I can't find any information on this. As a lot of you know, I have been having some network problems recently. Well, I think I found out the problem. My Windows 2000 Server machine has been ifnected by a nasty Trojan / combo of Trojans.

I posted a few weeks ago about weird login attempts into my FTP. Specifically people trying to log in as weird names such as "spring" and "upload". I also mentioned they were coming from China IP Addresses.

Well lately I have been having major bandwidth problems. My web server was sending and recieving so much data that my entire 1 mbps DSL connection was screwed. I was getting ping replie of over 1500 ms. Terrible.

So I started messing around with the web server. I noticed that right before the web server shutsdown the ping reply quick went back to normal. Same as when the server is started. It would be excellent ping time, then about a minute later after all the services started the ping reply would turn to crap again.

I went through my windows services, and started stopping them one by one while i did a constant ping from outside the network. I got to one service and stopped it, suddenly the ping turned back to normal. That service was the culprit. Turns out it was Serv-U FTP by Rhinosoft. Running secretly in the background on some really high port. After I looked into it more, I found out there was a hidden folder on my hard drive called download which contained over 14 gigs of Chinese porn movies.

I uninstalled Serv-U. Typically the program was built to look like it was a professional useful program, but every knows that it is made to be used by crackers. Just like BO2K. with options to hide the fact that it is running. Anyway I remove that, delete all the porn.

Then I find a txt. file named: SanTuo.txt in my c: drive which contains the admin login, password, and server name. I delete it, but when I restart the text file is re-written. I tried doing research about this file in google, but I only get a result of about 10 chinese web sites. Could this possibly be a Trojan that has not been picked up yet? I have Norton AntiVirus Corporate Edition installed on the servers as of yesterday, but it doesn not pick up any viruses or trojans. I did a full system scan, and nothing.

So basically does anyone have any information on a virus/trojan that creates a text file: SanTuo.txt? I searched the forums, and nothing. I searched other security sites such as securityfocus.com and came up with nothing. Pretty freakin nasty. I want to get to the bottom of this before I change my admin password.

I am boggled about how this person got it installedon the system. I have locked down the computer a lot after the installation date, thanks to the help of o guys, so it was installed before I started locking down the box. Previously NETBIOS over TCP/IP was enabled, but I am not sure if that is how the person was actually able to run and install that trojan.

Any help would be appreciated. Crazy stuff. I never thought securty would get so complex.
July 16th, 2002, 06:41 PM
khakisrule

Yup, I've gotten trojans that rewrite themselves too. I got rid of one by making sure there were no registry keys related to that program. Then I did a thorough search of the computer for unknown files. Then I got a program to let me customize my startup, I found the file that was recreating the trojan and deleted it. Best chance is to do that, try looking through your computer for anything that looks unusual, like system32.exe, thats what I had. You might want to try retstarting in safe mode to run the program and also release your IP, you don't want to run the risk of letting somebody into your computer. And make sure you look through the registry, do you have win2k? I don't know if win2k has a registry, probably does though. BTW got any porn left? j/k :)

EDIT: BTW my NAV never detected the virus before, I scan every program that I run, and NAV never said a thing. And even later, when I ran a port scanner and found some unexplained open ports, and realized system32.exe which I has become suspicious about was a trojan, I did a full computer AV scan, still nothing from NAV. I don't know why that is, in the end, my computer became slow and laggy, my ram was being used for no reason, and my h/d would start spinning, my whole computer screwed up. I had to reinstall windows. SO... BACKUP YOUR IMPORTANT DATA NOW!! I wish I had. :(
July 16th, 2002, 06:46 PM
Maverick811

Has a detailed virus scan not cleaned up your server? That's odd, unless you have gotten a hold of some new undiscovered trojan/virus. I would take the advice of khakisrule, and start looking into your registry for your answers. You may want to try running a registry cleaner, in hopes that it will detect a bad key. It may take some time, but I'd start sifting through the main system folders such as WINNT, WINNT\system, etc, with the Show All Files option turned on and see if you see anything strange. You are obviously still infected with something, it's going to take some digging to find it. Update your DAT files for your AV software, and do a complete scan. I'm quite surprised AV software hasn't picked this thing up.
July 16th, 2002, 06:52 PM
DjM

jared - there is another possibility. This might not be a Trojan at all, you may have be hacked and all this stuff your finding is being put their manually. Is this box behind a firewall?

Cheers:
July 16th, 2002, 06:57 PM
alittlebitnumb

There are FXP groups out there that hijack FTP's for warez, pr0n and the like, and your server could have been hijacked by a person scanning around for open FTP's, finding an opening and upping the files. I do not know how this is done exactly, but I have seen many FXP boards with people scanning, tagging and looking for places to trade this stuff with the quickly depleting resources for posting warez and the like. What bothers me is the text file that is present with your admin pass and other sensitive info in plain text...

Port sniffer, perhaps? If it is a port sniffer, then it would be possible to grab your admin pass then use the machine for whatever you want good permissions or not.

Also, or additionally,

With many exploits for IIS, somebody might have used one of these exploits, made an exploit (more likely the former) to gain access to your machine. As for ServU, somebody might have upped the file in the FTP directory with the modified/poor permissions, installed it remotely, and used that server on a high port to evade your detection; and why not? ServU is not detected on AV anti-trojan anyway, and if I were a warez puppie, that would be ideal...

And if a trojan was upped, there are 1500-2000 trojans and its variants out there and would be kind of difficult to determine what it was in the first place, especially if the attacker removed the server after gaining access to the FTP to serve Orietal pr0n.

However, I could be wrong, but keep us posted. This could be interesting...
July 16th, 2002, 07:07 PM
khakisrule

Serv-u has quite a few exploits, I've heard of plenty, I reccomend you stop using it. Try using the xitami server, it has an http server as well as an ftp server. Its secure and only a handful of exploits have ever been discovered for it. And as for hijacking servers, I would say, find a way to contain the damage, and then let them do it, get all the software you can, wait about 2 days to see if they upload anymore to you and then cut them off with a reinstalled firewall. Make sure to uninstall serv-u. It just isn't that secure.
July 16th, 2002, 07:10 PM
jared_c

It is not behind a firewall... I wish it was, and I want it to be.. but I am having so much trouble finding one that will work with my setup. Maverick, I checked the one you mentioned out, and customer support said SOHO won't do what I need. I would have to get a different model, and I can't afford it.

One thing I noticed in services, there are a lot of services running using c:\winnt\system32\svchost.exe they have -k netsvcs after them. Looks a little strange to me. Any ideas?
July 16th, 2002, 07:11 PM
qwerty_smith

i have some suggestions to help reap some info.

Active Ports, Smartline, inc.
http://www.majorgeeks.com/article.php?sid=682
this one should show all open ports on the machine

Adaware, Lavasoft
http://www.lavasoftusa.com/
should identify anything nw added to registry etc.

Trojan Remover
http://www.simplysup.com/
should find things that look like trojans CAUTION: may find things that are not trojans

hope this helps…
July 16th, 2002, 07:14 PM
jared_c

khakisrule, thanks for the info, but the thing is I didn't install Serv-U. Whoever pulled this off did. I am guessing that is how the trojans got on here to, probably by exploits through that. I think things are a lot better than they were, but now I am cleaning up all the mess, and trying to make sure my system is clean. I'm going to go download a startup editor so I can view the registry keys, and other things that startup at boot. The thing is there are so many services under Windows services right now I don't know what ones are legit, and what ones aren't. Sucks.
July 16th, 2002, 07:34 PM
nebulus200

http://www.blkviper.com/WIN2K/win2k.htm

Good about listing which services there are and whether you need them or not. Most of the calls to service are probably legit, not really sure why M$ does it that way, but it does do it alot. If you have any other spare machines around, you might could install a regular copy of win2k and use it as a baseline to compare with what you have...

There are also some tools available that will allow you to see what ports you have opened on your system, what process is using them, etc. Those can be helpful in detecting trojan's.
There are some somewhat helpful tools at :
www.incident-response.org/windows.htm

Now as to what originally happened, you mentioned you had netbios over tcp/ip turned on. Do you have your administrative shares and anonymous access restricted ? That would definitely be a way in...I am assuming you are using IIS as the web server...how much securing did you do ? Did you turn off index service, did you have all the latest patches, etc ?

Neb
July 16th, 2002, 07:43 PM
Tedob1

hey jared_c, what service packs are installed, if you don't remember type 'winver' in the run box.

after you figured out how it happened, don't even consider just changing your admin pwd. you HAVE TO reformat and reinstall. you have no idea whats been changed or added to your system. apply all service packs before you put it back on the internet. then go directly to windows updates and apply all the critical updates.

the guy selling porn from your box will just blow it off and keep on going, but the kiddies, whose playground you took away will be out for vengence.
July 16th, 2002, 07:52 PM
khakisrule

Quote:

khakisrule, thanks for the info, but the thing is I didn't install Serv-U. Whoever pulled this off did

LOL, sorry, but that really sucks. I was lucky, my trojan was never accessed, when I thought it was being used, I stopped using my net connection and looked to see if the green lights on my modem were flashing, they weren't. Eventually the trojan killed my computer anyways. Well, I've heard of people using programming langs to close sockets, that could work. I dunno though. Go through your folders and put any odd files in google and see what comes up. I didn't do that with system32.exe, but I'm gonna look at that now. ARE YOU BACKING UP!?! Make sure you do. And seriously though, let them upload their warez to you, and then keep it, instead put a small .txt file in your serv-u folder that laughs and swears in chinese. Thats better than JUST closing up your ports, better to have revenge. Maybe they even deleted their copies of the software when they uploaded it to you. BTW Didn't you notice 18 gigs that were missing????? And to the bum who swore at me for say NAV didn't detect my virus and that I was advocating it in another thread, I say this. No AV program is perfect, it depends on the virus, and it's popularity. The trojan I had may have been rare and so the Norton team in charge of updates never made a fix for it.
July 16th, 2002, 08:01 PM
Zadok0552

You have received some really good advice here.

I was just directed to Anti-Trojan, and it is GREAT software!!! You get 15 days free, so it will help you with your efforts to eliminate any trojans and POTENTIALS for trojans.

www.antitrojan.net ---- Hey it checks the registry, too!

Like another poster had mentioned, you MAY have been hacked and Serv-U placed there by the hacker. You know - something as simple as an email attachement would do it.

Cheers,

Zadok
July 16th, 2002, 08:06 PM
jared_c

nebulus200, I do have administrative shares and anonymous access restricted now. When things started getting strange I did that. Everyone here helped me out and suggested that be the first thing to do. I do not thing I have index service turned off.. What are the potential hazards in this? I do have all the latest service packs and patches installed. I use Windows Critical Notification as well. As for other things I have done to lock down, I have removed all sample files, and also unmapped extenstion from IIS that aren't being used such as htr, htw, etc.... No FTP services running have anonymous access enabled.

Tedob1, I guess that is what I am going to have to do. I will reformat and all that, but I want to get to the bottom of this while I can. Though I look at this as a real shitty thing to happen, I am also looking at it as a major learning experience to help prevent this from happening again. Also it gives me a view from the cracker's side by seeing what they have done.

khakisrule, thanks for the suggestions, but I want to use this box to host sites. I actually have a few on there now, that is why I am bugging out about this. I can't play around like that. If it was a personal comp, I would, but not a business comp. I do weekly backups, and everything is saved.

Now for more nitty gritty fun stuff. I just downloaded this really great tool called AATools. It tells me what processes are running on what ports. Currently I am running DNS, IIS, and PCAnywhere. Those are the only programs that should be using ports that are open to the internet.

Here is what is running on my system. Any ideas? Some ports seem pretty strange.

dns.exe is running on port 53 which is normal, however it is also running on: 1027, 1028, 102, I do not know if that is normal.
inetinfo.exe is running on port 25 and 80 which is normal, however it is also running on: 1031, 1033, 3456, I do not know if that is normal.
lsass.exe is running on 500. I do not know if this is normal
MsgSys.exe is running on 38037. I have no clue what this is. It is located in: C:\WINNT\System32\MsgSys.exe
MSTask.exe is running on 1026. This is the task scheduler, I don't know why it has an port open. It is located in: C:\WINNT\system32\MsgSys.exe
services.exe is running on 1030... I do not know if this is normal. It is located in: C:\WINNT\system32\services.exe
svchost.exe is running on 135
System is running on 445. It did not give me any application name.

Any ideas anyone? The inetinfo.exe running on 3456 seems really strange.
July 16th, 2002, 08:38 PM
nebulus200

From the first site I referenced:

FTP Publishing Service inetinfo.exe IIS Admin Service Not Installed. Read More...

IIS Admin Service inetinfo.exe Protected Storage, Remote Procedure Call (RPC) Maybe. Read More... Automatic

The blkviper one...Highly recommend reading it to see if you can turn off more...

Didn't recognize the msg ones, you might want to look a little further into that one...
Task Scheduler MSTask.exe Remote Procedure Call (RPC) Never. Read More... Automatic Automatic Manual Disabled Disabled Disabled
Should be running as MSTask not MSgSys...typo ?

M$ has an interesting habit of making its programs run back to itself (loopback) to do other tasks. I would be interested to know how many of those ports are to loopback or IP Addr 127.0.0.1 and how many were listening (IP Addr 0.0.0.0 or listen)
Those > 1024 ones should be...

Fport...
first thing that turned up in google (used cached page):
http://216.239.51.100/search?q=cache...hl=en&ie=UTF-8

38037
UDP C:\WINNT\System32\MsgSys.EXE

MsgSys.exe ? This program opened port 38037 when the Norton Antivirus Client was started as a service. In checking the properties of this file, it was actually created by Intel. A thorough search of Intel?s web page regarding this file revealed nothing. A search of the disk drive showed that this file was indeed installed during the installation of Norton Antivirus software.

That article was pretty good and should give you a rough idea of how to search around...

The indexing service had a buffer overflow vulnerability with it and was turned on by default in Win2k installations (even without IIS running). If your patches are up to date you should be ok, if they weren't before the funky stuff started happening, that is another avenue that someone might have gotten in...

The basic problem is you unfortunately waited too long to turn up the security on your box. I would recommend backing up your web pages, sorting through them to make sure no scripts or files have been altered, rebuild your server, and then dump the pages back over. That is the only way you are going to be sure that your box isn't still owned...

Hope that helps,

Neb
July 16th, 2002, 08:57 PM
jared_c

Thanks everyone you have been a big help. Neb, thank you for all the links. They are becoming very useful.

Does anyone know of a good Windows 2000 Server startup registry editor? I still can't figure out what is creating that text file with the information when I boot.
July 16th, 2002, 09:00 PM
jayle

I would be curious to know if the SanTuo.txt file re-appears if you disconnect the computer totally from the web. I know that some people have suggested an external influence may be creating this file, and this test may prove or disprove that theory. Also, and this is going to sound insane, but try temporarily write protecing the area where the file gets written to. There is an outside chance that Windows will return an error, and you can see what process is causing the write (hey, I said it was a stretch!)
July 16th, 2002, 09:02 PM
nebulus200

If memory serves:
regedt32:
HKLM\Software\Microsoft\Windows\Run\

Might also look under (but probably not)
HKLM\Software\Microsoft\Windows\RunOnce
HKLM\Software\Microsoft\Windows\RunOnceEx

And yes, that was off of a Win2k box...windows is windows I guess...

Neb
July 16th, 2002, 09:03 PM
zigar

my fav reg tool is regcleaner from http://www.jv16.org/ ....you can edit reg'd software...startup..uninstall menu...file assoc...shell extensions...new file context ...

best of all...it's free ;)
July 16th, 2002, 09:44 PM
khakisrule

Quote:

I would be curious to know if the SanTuo.txt file re-appears if you disconnect the computer totally from the web. I know that some people have suggested an external influence may be creating this file

Unlikely, this is probably a replicating trojan. I had 'em, they're mean and hard to et rid off until you find the file that is recreating them. BTW also try sysedit and find files that run on startup, and see if they look suspicious. I don't know if sysedit works in win2k but ir probably does.
July 16th, 2002, 10:00 PM
Euclid

nothing more to really add I just wanted to say that this is by far the best post i have read in a while. Not saying that other posts are crap, im just saying that i enjoyed reading this. Very informative.
July 16th, 2002, 10:17 PM
darkewolfe

check out..

You may want to check the following locations in your registry, these are the mose common places trojans (and legit apps too) will place entries:

For W2k Server...
My Computer\Hkey_Local_Machine\Software\Microsoft\Windows\CurrentVersion\Run
My Computer\Hkey_Local_Machine\Software\Microsoft\Windows\CurrentVersion\RunOnce
My Computer\Hkey_Local_Machine\Software\Microsoft\Windows\CurrentVersion\RunOnceEX

You've aleady gone through your list of services, you can also check your start up folder, though I doubt it would be in there.

You can also use the command ' netstat -a ' that will show you what ports you have listening, and more importantly, what ports have established connections and to whom.

I would suggest possibly getting this box behind a firewall. If it's directly connected to the DSL modem, then I'd suggest a firewall like Sygate 5 PRO or something similar (I like the way Sygate displays individual connections, and the ability to point and kill a connection). It will take a little time to set up a firewall, but the good thing is, if you configure the firewall correctly, it will prevent alot of trojan apps from getting out, as well as protect you from incoming attacks. Good luck.
July 17th, 2002, 05:55 PM
jared_c

OK... Here is the update for you people. I wiped out the system yesterday, and did a fresh install of Windows 2000 Server.

Here is a check list of what I did security wise:

Installed only necessary components for the web server.
Installed service pack 2, and security roll up package, along with critical updates after that.
Deleted the IIS sample files
Unmapped the extensions that don't get used by IIS, .htw, .htr, etc...
Deleted the virtual directories that get automatically created with IIS.
Disabled NETBIOS over TCP/IP
Administrative shares and anonymous access restricted
Disabled anonymous access to the registry by editing a key in the registry.
Installed Norton AntiVirus Enterprise
Made sure any FTPs did not allow anonymous access.
Renamed Admin login
Used different passwords from the last box, and all passwords contain letters and numbers

And that pretty much sums it up... Tonight I am going to install AATools, and get a better look at what ports are being opened by what processes. I am going to look into those services in more detail and see if I need them on.

Is there anything else that you guys would suggest doing, or anything I may have forgotten from my check list? Thanks.
July 18th, 2002, 04:42 AM
zigar

i'd suggest 2 tools from m$ (and they're free even... :eek: )

IIS lockdown and urlscan (which is now at v2 i think)....

lockdown will scan all running services and has several levels of security...it will disable any unneeded services based on the security level you choose...

urlscan is a tool which scans all incoming url requests for "badness" and prevents them from getting to IIS...

Quote:

The tool, URLScan, screens all incoming requests to the server, and filters them based on rules set by the administrator. This secures the server by ensuring that only valid requests are processed.

URLScan is effective in protecting web servers because most attacks share a common characteristic – they involve the use of a request that’s unusual in some way. For instance, the request might be extremely long, request an unusual action, be encoded using an alternate character set, or include character sequences that are rarely seen in legitimate requests. By filtering out all unusual requests, URLScan prevents them from reaching the server and potentially causing damage.

http://www.microsoft.com/windows2000...an/default.asp